

2009 Views 5 Replies Latest reply: Apr 13, 2012 7:21 AM by Irfan Sri


how to config Split Tunnel on ASA 8.2 ??

Mar 30, 2012 1:50 PM

Irfan Sri 100 posts since
Feb 28, 2012

Hi,

I need to give our branch office access to a web address outside of the VPN tunnel. Our branch office is connected to our main office using an IPsec VPN tunnel. The VPN tunnel is created between the two ASA firewall outside interfaces of the main office and branch office. The branch office ASA only has inside and outside interfaces (other interfaces are disabled), so the branch office network, or one of its hosts, needs to connect to the 208.66.130.xx IP on the Internet.

So the branch office traffic will come to the main office ASA outside interface using the VPN tunnel, and it needs to go out again to the web address IP using the same outside interface. The main office can also access the same web address (208.66.xx.xx) through the outside interface.

So if the branch office needs to go out from the tunnel, can I configure split tunnel on the main office ASA? Can anybody explain to me how to configure split tunnel using the CLI? I cannot find any tab or anything in ASDM for split tunnel as in the Cisco document, as follows. Our ASA version is 8.2(2).



  • Paul Stewart  -  CCIE Security 7,570 posts since
    Jul 18, 2008
    1. Mar 30, 2012 8:27 PM (in response to Irfan Sri)
    Re: how to config Split Tunnel on ASA 8.2 ??

    Split tunneling is really a concept for remote access VPN. It sounds like you have a standard LAN-to-LAN VPN. With that, what is tunneled is whatever matches the crypto ACL. So are you wanting to hairpin all of the branch traffic through the main ASA, or allow it to connect to the Internet directly? The crypto ACL will certainly define what is encrypted. If you are planning to route the branch traffic through the main ASA, where is the NAT configured?

  • On a router you could route the traffic out the source interface that is directly connected to the Internet, but seeing how this is an ASA, I'm not sure.


    You might be able to do the same thing by creating a static route to force the traffic out the ASA Outside interface, but I'm not sure about the details. Like Paul mentioned, you might need to set up NAT, also possibly adding some rules to allow traffic to flow between the Inside and Outside interfaces.


    If you do get it to work, I'm curious what you had to do.





  • Gamalier Sanchez Javier 12 posts since
    Nov 16, 2010

    Well, I don't understand very well what it is that you want to do, but I think that it could be done very simply.


    If you have a branch office connecting to your HQ, you have a site-to-site VPN, like Paul said. And that thought is enforced by the fact that in your configuration there's no crypto dynamic map.


    You said that you want the branch office to communicate with some host on the Internet across the VPN with your HQ. You can do that by specifying the Internet host with the specific port in the crypto ACL. With that, when the branch office needs to connect to that webpage, the traffic will pass across the tunnel, and the traffic not included in the ACL will bypass the tunnel and go directly to the Internet. If you don't want to pass that traffic directly to the Internet and just permit the tunneled traffic, the strategy is the same, but with an additional ACL (or something alike) directly applied at interface level. The ACL will work the same way as split tunneling in remote access. That must be the reason split tunneling is not present in site-to-site.


    Well, I think you can solve the issue with that.
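
The hairpin design discussed in this thread (the Internet host added to the crypto ACL, NAT done at the main office), written out as an added configuration sketch in ASA 8.2 syntax; it is not taken from any poster's device. The subnets 192.168.1.0/24 (main office) and 192.168.2.0/24 (branch), the ACL and crypto map names, the map sequence number, and 203.0.113.10 as a stand-in for the elided 208.66.130.xx host are all assumptions, and the entries use `ip` where a specific port could be given instead.

```cisco
! ===== Branch ASA (8.2 syntax, all names and addresses are placeholders) =====
! Crypto ACL: the HQ LAN plus the one Internet host go into the tunnel;
! everything else leaves the branch outside interface directly.
access-list BRANCH-CRYPTO extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BRANCH-CRYPTO extended permit ip 192.168.2.0 255.255.255.0 host 203.0.113.10
crypto map OUTSIDE-MAP 10 match address BRANCH-CRYPTO
! NAT exemption so tunneled traffic keeps its branch source address
! and still matches the crypto ACL.
access-list BRANCH-NONAT extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list BRANCH-NONAT extended permit ip 192.168.2.0 255.255.255.0 host 203.0.113.10
nat (inside) 0 access-list BRANCH-NONAT

! ===== Main office ASA (8.2 syntax) =====
! Crypto ACL is the mirror image of the branch one.
access-list HQ-CRYPTO extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list HQ-CRYPTO extended permit ip host 203.0.113.10 192.168.2.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address HQ-CRYPTO
! Let decrypted branch traffic leave through the interface it arrived on.
same-security-traffic permit intra-interface
! PAT the branch subnet to the outside address when it hairpins to the Internet.
nat (outside) 1 192.168.2.0 255.255.255.0
global (outside) 1 interface
```

After applying, `show crypto ipsec sa` on either ASA should list a security association for the Internet host entry, and `show xlate` on the main office ASA should show the branch addresses being translated on the outside interface.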


